ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather this information. Any data collected by Snap Surveys for ICO is stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


The draft guidance covers most of the relevant issues very well, but there are some 
issues which it does not address fully. In particular, there is a lack of guidance about how 
to handle data which does not directly relate to the data subject making the request but 
is (or may be) personal data relating to that person nonetheless. For example, an 
organisation may process information about residential properties in such a manner that the information amounts to personal data. In these circumstances, providing information 
relating to the property in which the individual lives may reveal information about other 
occupants of that property. The ICO may wish to expand the section headed “What 
should we do if the request involves information about other individuals?” to cover such 
situations more clearly. 


Q2 Does the draft guidance contain the right level of detail? 


x Yes 
No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


Q3 Does the draft guidance contain enough examples? 


x Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


We have no particular suggestions on this point. 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful 
2 - Slightly useful 
3 - Moderately useful 
4 - Very useful 
5 - Extremely useful 


Q6 Why have you given this score? 


The guidance generally provides helpful, practical guidance which clarifies GDPR 
requirements rather than merely restating them. Organisations should be able to find 
answers to most of their questions about the right of access in this document. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree 
Disagree 
Neither agree nor disagree 
Agree 
Strongly agree 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


We have the following additional comments about the draft guidance: 


1. Page 4 says that “for information to be personal data, it must relate to a living person who can be identified from that information (directly or indirectly)”. This appears to be a relatively narrow definition of personal data. Personal data includes data relating to individuals who are identifiable, not just those who are identified. Additionally, the individuals do not have to be identifiable solely from the data in question; it is sufficient if they are identifiable from other data if that is a means reasonably likely to be used to identify them. The link to further guidance on the definition of personal data is helpful, but perhaps the statement quoted above should be rephrased into an example rather than an absolute statement of what personal data is. 


2. Page 7 suggests examples of steps that controllers could take to ensure security of personal data. It says “Have measures in place to securely send information. For example, by using a trusted courier or having a system to check email addresses before sending.” The reference to use of a trusted courier may be taken to suggest that the ordinary postal service is not considered sufficiently secure. Is that the ICO’s view? Additionally, we are not sure what kind of “system to check email addresses” the ICO is referring to; it would be helpful if the ICO could explain what kind of checks on email addresses it has in mind here. 


3. In the section on “Can we ask for ID?” starting on page 19, we suggest that the ICO should make clear that where a request is being made by a third party on behalf of a data subject, it may be necessary to identify both the data subject and the third party. If the third party's identity is not verified then another person could impersonate a third party who has authority to submit the request. 


4. Under “What efforts should we make to find information?” on page 19, the new guidance seems to have departed from the position under the old code of practice. The requirement to make “extensive efforts” was previously qualified with “Even so, you are not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information.” We consider that this language continues to be valid and to provide an illustrative counterbalance to the (otherwise open-ended) “extensive efforts” requirement. 


5. Page 21 indicates that the time for responding to a subject access request does not begin until the controller has received any necessary evidence of identity. Pages 23 and 24 indicate that the time for responding to a subject access request continues to run while the controller is waiting for any clarifications from the data subject about their request. It is difficult to reconcile these positions in practice. In particular, as noted on page 20, the level of identity checks that a controller should perform depends on the harm and distress that may be caused if the personal data is disclosed to the wrong person. That in turn depends on what personal data is to be disclosed, and that will sometimes need to be clarified with the data subject. Accordingly, it seems logical to seek any required clarifications to the data subject's request before asking them for evidence of identity. This seems inconsistent with the suggestion that the time for responding to the subject access request runs while the controller is seeking clarifications but does not begin until evidence of identity has been received. It would be helpful if the ICO could clarify its position on this point. 


6. Page 25 refers to the obligation to search electronic archive and backup systems. In many cases the information stored in those systems is likely to be identical to the information stored in live systems. We recommend that the guidance makes clear that it would not be proportionate to spend significant effort searching archive and backup systems where the information in them is likely to be the same as the information retrieved from live systems (especially where the information in archive and backup systems is not used for anything that has any impact on data subjects). 


7. Page 31 suggests that “If an individual can download a copy of their personal data in a commonly used electronic format, then this satisfies the requirement to provide a copy, as long as the individual does not object to the format.” In our view, the last part of this sentence is misleading. If the information has been provided in a commonly used electronic format, then the requirement to provide access has been complied with. Data subjects are not given a right to specify what format the subject access response must be provided in, provided that the format is (objectively) reasonably accessible. To give an example, if a controller were to provide a response in PDF format, there is no basis for the data subject to object and require it in (say) Word or jpeg format instead. 


8. Page 61 is very brief. The ICO may wish to include a link to its existing guidance on “Credit” (https://ico.org.uk/your-data-matters/credit/) and/or “Credit Explained” (https://ico.org.uk/media/your-data-matters/documents/1282/credit-explained-dp-guidance.pdf) for data subjects who wish to read more about this topic. 


9. On page 61, “Consumer Credit Act” should be followed by “1974”. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


TransUnion Information Group 


What sector are you from: 


Financial services 


Q10 How did you find out about this survey? 


O ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


